SAS 70 Comprehensive Guide For Audit Preparation and Completion

The SAS 70 auditing standard, put forth in 1992 by the American Institute of Certified Public Accountants, has gained great prominence and popularity in recent years. This is due in large part to the enormous growth of regulatory compliance legislation, particularly the Sarbanes-Oxley Act of 2002 (SOX), along with other notable provisions, such as HIPAA and Gramm-Leach-Bliley (GLBA). Added to these laws are numerous state legislative rulings advocating a wide range of privacy and security measures, which have also driven the growth of SAS 70 Type I and Type II audits.

What's important to note is twofold: First and foremost, regulatory compliance and corporate governance are here to stay and will continue to grow aggressively in the coming years. Second, Statement on Auditing Standards No. 70, known simply as SAS 70 to many, has become a permanent fixture in the growing compliance game.

SAS 70 for Service Organizations

If you are an organization providing services to another entity, then it's safe to assume that, in the technical jargon of SAS 70 audits, you would be identified as a service organization. In essence, this is a company that typically provides critical outsourcing services to upstream user organizations. Common examples of a service organization for purposes of SAS 70 would be a payroll company, a third party administrator (TPA), a co-location or data center providing managed services, or a medical billing processor, just to name a few. Again, what they all have in common is that they provide a needed service to another organization.

SAS 70 Compliance-Where to Start?

If your organization is being asked to be SAS 70 compliant, you need to find out what the long-term expectations are of the entity requesting you to be compliant. Is this a one-time event only? Are they asking for annual SAS 70 compliance? Do you have to be SAS 70 Type II compliant for the first audit, or will a Type I audit suffice?

Once you have a strong understanding of the above parameters, you can begin to look for a qualified CPA firm to conduct the audit. Buyer beware. You get what you pay for, so going with the low-cost provider may very well end up giving you a report of poor quality, which could ultimately do more harm than good. And why is that? Because the intended users who rely on these reports are traditionally well skilled at reading and digesting them, so the reports had better be of high quality. Obtain proposals from firms that are not too small, but not too large. A national boutique CPA firm that specializes in SAS 70 audits would be a good choice. Their fees would be reasonable, they would conduct the audit in an efficient manner, and they would prepare the final report in an acceptable timeframe.

SAS 70 Hot Button Issues

But before you sign on the dotted line, make sure you obtain at least three proposals, and be certain you discuss the following points with every CPA firm that you are receiving a fee quote from:

SCOPE-Is the audit going to be a general controls audit, or is it going to include an examination of specific business processes or business drivers? This is critically important, as it can significantly change the fee of the audit. Many CPA firms will give you a proposal, but it may be for a straightforward, general controls audit only, so make sure this is discussed.

PRICING-Is the fee a fixed fee; that is, are all out-of-pocket and travel-related expenses included in the audit fee? If not, make this a requirement. Why? Because agreed fees that do not include a fixed fee provision will end up costing an additional 10% to 20% over the proposed fee. Remember, auditors have to travel, sleep in hotels and feed themselves, and this can get expensive.

TEST PERIOD-If looking for a proposal for a SAS 70 Type II audit, you will need to identify and agree on the test period. SAS 70 Type II audit test periods traditionally range from six (6) to twelve (12) months; however, extenuating circumstances can result in a shorter test period. Identifying the test period is critical because it also drives pricing, to a marginal degree. Think a proposal from a CPA firm for a 6 month SAS 70 Type II audit will be the same fee as a twelve month audit? Absolutely not. Again, identify the time period for testing before you receive the proposals from any firm.

SAS 70 READINESS QUESTIONNAIRE-Does the audit proposal include a fee for undergoing a comprehensive SAS 70 readiness questionnaire assessment? If not, you will need to discuss this important point. For any organization going through a SAS 70 for the first time, a readiness assessment is a must for ensuring a successful audit.

I Found My Firm, Now Where Do I Begin?

So, you are on your way to SAS 70 Type I or Type II compliance. The first step that needs to be undertaken is to complete a series of SAS 70 readiness questionnaire forms and templates. These questionnaires will help drive and guide the audit process. They are considered invaluable tools for audit preparation, and any reputable SAS 70 CPA firm will be able to provide them for you. Some firms charge a fee for conducting a SAS 70 readiness questionnaire session, while others may provide the templates free of charge, leaving the service organization to conduct its own SAS 70 readiness assessment. The choice is yours. Another benefit of the SAS 70 readiness assessment is that it helps your organization identify gaps or deficiencies within your control environment that require remediation or correction before the audit begins. There's no sense in rushing into a SAS 70 Type I or Type II audit without properly preparing for it. That's exactly what the readiness assessment does.

So, what should the SAS 70 readiness questionnaire forms and templates cover? They should cover all aspects of a general controls SAS 70 audit, along with any specific provisions for business processes or business drivers that will be included in the scope of the audit. Listed below are the general controls areas that should be covered in the readiness phase. Please note that not all areas may be applicable to your organization:

Organization and Administration-Executive Tone

Organization and Administration-Human Resources

Systems Development Life Cycle

Incident Management

Change Management

Logical Security

Network Security

Physical Security

Environmental Security

Computer Operations

Business Continuity and Disaster Recovery (This is optional, as the SAS 70 guidelines state that "plans" are not control objectives.)